Is Your Business Ready For PCI DSS 3.0?

PCI DSS 3.0 comes into force on the first day of next year. Is your organization prepared for the 20 changes to PCI DSS requirements that should be implemented by 2015?

On January 1, 2015, the most recent version of the Payment Card Industry Data Security Standard will reach its compliance deadline. PCI DSS 3.0 contains a substantial number of changes relative to the current version, and it appears that many businesses are behind the curve when it comes to PCI DSS 3.0 preparedness, even at this late stage.

A significant cause of delays in the implementation of PCI DSS 3.0 is that many businesses are simply not prepared for the scope of the changes. When PCI DSS 2.0 was released in 2010, there were only two evolving requirements. Version 3.0 contains 20 different changes to the requirements that are intended to reflect new thinking on security best practices and the technological changes that have occurred over the last few years.

If only one person were focused on the process per day, they should have begun implementing the changes in June 2014. Of course, this depends on the organization, and this estimate may understate the time actually needed by most companies.

To be clear, version 3.0 is not a wholesale rewrite of PCI DSS by any means — the standard is fairly mature, but the evolved requirements it contains do necessitate that businesses address a number of key areas of information security.

We don’t have the space to cover all of the changes here (you can see them for yourself in the PCI DSS Summary of Changes document), but I would like to highlight a couple of the requirements that are most likely to impact businesses.

Penetration testing

The language surrounding the pen testing requirements has been tightened and made more explicit. Businesses need to be particularly careful that any external services they outsource their pen testing to adhere to an “industry-accepted penetration testing methodology”.

The good news is that this particular requirement doesn’t come into force until June 2015, so organizations have some time.

Who is responsible?

PCI DSS 3.0 specifies that businesses must explicitly document which requirements are managed by vendors and which by the company itself. This is likely to have an impact on eCommerce retailers and others that outsource some of their credit card handling and cardholder data storage to other organizations: web hosting companies, payment providers, and so on. Merchants are required to be aware of where responsibility lies for controls and have documentation that demonstrates their awareness.

Combating malware

PCI DSS has long required that cardholder data handlers install anti-malware software on systems that are prone to infection, and that’s still the case. But 3.0 additionally specifies that organizations implement processes to confirm that the status of systems not covered by this provision — those not usually prone to malware — has not changed; that is, that they have not become vulnerable to a recently emerged threat.

Additional changes include a requirement that anti-malware systems be capable of preventing users from disabling them.

These are only a small number of the coming changes. If your auditing cycle ends early in the year, then hopefully you are well prepared. If you’ve got a few months before your next audit, you can relax a little, but not by much — don’t make the mistake of underestimating the scope of the required changes.